View Issue Details
Field | Value
---|---
ID | 4836
Project | Composr
Category | core
View Status | public
Date Submitted | 2022-04-29 07:27
Last Update | 2022-05-16 06:17
Reporter | Chris Graham
Assigned To | Chris Graham
Priority | normal
Severity | Security-hole
Status | resolved
Resolution | fixed
Product Version | 10.0.41
Fixed in Version | 10.0.42
Summary | 4836: Spammers may create new themes
Description | There is a possibility to craft a special URL that results in themes being auto-created. This is not known to create any critically serious issue, but it does create some moderately serious issues: 1) the filesystem is polluted with the spammy theme directories; 2) the theme selector will contain the spammy theme entries, if enabled (by default it is not, and is not on the vast majority of Composr sites); 3) the Admin Zone UI will show the spammy themes.
Tags | No tags attached.
Automated response: Fixed in git commit 599ccd9cfa (https://gitlab.com/composr-foundation/composr/commit/599ccd9cfa - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hotfix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported.

Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).
Date Modified | Username | Field | Change |
---|---|---|---|
2022-04-29 07:27 | Chris Graham | New Issue | |
2022-04-29 07:27 | Chris Graham | Assigned To | => Chris Graham |
2022-04-29 07:27 | Chris Graham | Status | Not Assigned => Resolved |
2022-04-29 07:27 | Chris Graham | Resolution | open => fixed |
2022-05-16 06:17 | Chris Graham | View Status | private => public |